"An adversary's physical access to a mobile device often makes existing security controls fail - why? This speaking session will demonstrate creative methods to exploit endpoints - that is, mobile units. It will include hands-on demonstrations of coldboot attacks, hacking through FireWire and how to locate encryption keys in mobile device RAM. Potential countermeasures are outlined, and we'll focus on why end point security is important - and difficult."

Bring your laptop and willingness to write ten simple lines of code in
Perl, Python, or Ruby. Even if you can't code, come by and learn to use
Shodan the computer search engine through the web interface. While the
speaker will share a tiny bit of what he did with this tool, the focus
will be on what you could be using it for...this is a interactive
workshop, not a boring seminar.

Eireann Leverett spent six months working with 'Shodan the computer
search engine'. It's an under-rated tool that was developed by John
Matherly. John has given you a surprisingly big gift, why not learn to use it?

"An adversary's physical access to a mobile device often makes existing security controls fail - why? This speaking session will demonstrate creative methods to exploit endpoints - that is, mobile units. It will include hands-on demonstrations of coldboot attacks, hacking through FireWire and how to locate encryption keys in mobile device RAM. Potential countermeasures are outlined, and we'll focus on why end point security is important - and difficult."

Medlemsmøte: Torsdag 12. mai kl 17:15 - 19:15

The Image that called me - Security impact of Scalable Vector Graphics on the WWW - Mario Heiderich

Scalable Vector Graphics are about to conquer the web. Unlike most of their raster based companions from the GIF, PNG and JPEG
family, their vector based structure allows to display them on many different devices with various screen sizes without losing
visual information. The open XML based SVG sources permit addition of meta data, helping even the visually impaired and blind
to get the most out of these images. Additional modules, such as animations, events, SVG fonts, several scripting APIs and
inclusion of hyper-links, other images and documents and even arbitrary content from cross-domain sources make SVG the perfect
image format for the future WWW.

Nevertheless, a powerful standard such as SVG certainly poses a lot of risks. This presentation provides a close look at SVG
from a security perspective. How can attackers abuse this mighty image format, which ways exist to execute script code and
worse, and what should web developers and browser vendors consider when dealing with SVG. How will HTML5 change the way to
work with SVGs and why does it matter for security professionals to know about things like SVG Tiny, in-line SVG, SVGz and
other acronyms from a world where imaging and scripting collide? Besides many examples of malicious SVGs the talk will shed
light on a novel filtering tool capable of filtering and sanitizing SVG images without loss of important content.

Cross Site Scripting has been a topic in countless presentations over the last decade. That easy to grasp but hard to solve
problem has been shaking the web and caused major trouble on hundreds to thousands of high traffic and commercial and well as
governmental websites. Mitigation techniques have been developed and discussed in depth - starting with restrictive content
filters, educational programs and trainings, programmer's best practices and guidelines, proxy filters and many more. Still
XSS remains a major problem far from being solved. The multilayer model on which the web relies causes too much reciprocity to
find an easy cure - and the DOM as the actually affected layer is still lying unprotected open for the attacker.

This presentation introduces and discusses a novel approach of encountering XSS and similar attack techniques by making use of
several new features included in the ECMA Script 5 specification draft. It will be shown how to create a simple JavaScript to
seal important DOM properties, and take away the attackers ability to read and modify sensitive data in a tamper resistant and
light-weighted way - without being "too loud". Modern browsers, such as Chrome 8 and Firefox 4, for the first time provide the
possibility of creating and using client side IDS/IPS systems, written in JavaScript and running without special execution
privileges. The presentation will show how these work, what the implications are, and what the future of XSS mitigation and
eradication might look like.

Speaker:Mario Heiderich works as a researcher for the Ruhr-University in Bochum, Germany as well as Microsoft, Redmond and currently
focuses on HTML5, SVG security and security implications of the ES5 specification draft while finishing his PhD thesis. Mario
invoked the HTML5 security cheat-sheet and maintains the PHPIDS filter rules. In his spare time he delivers trainings and
security consultancy for larger German and international companies. He is also one of the co-authors of Web Application
Obfuscation: '-/WAFs..Evasion..Filters/